Access to Azure Active Directory Subscription - My Role: Unknown

Nick 1 Reputation point
2020-04-27T09:07:49.287+00:00

In portal.azure.com I have two subscriptions.

One of them is the subscription named "Access to Azure Active Directory". As far as I can understand, this subscription was created automatically via the Office 365 subscription I have.

My profile is a Global Administrator. However, I cannot access the "Access to Azure Active Directory" subscription as a Global Administrator or with Global Administrator rights. More specifically, when I view "My permissions" in the "Access to Azure Active Directory" subscription, it says "You are an administrator on the subscription".

But when, for example, I try to view "Activity log" or "Access control (IAM)" in the "Access to Azure Active Directory" subscription, it says "DisallowedOperation: The current subscription type is not permitted to perform operations on any provider namespace. Please use a different subscription."

So, how is it possible to be an administrator on the "Access to Azure Active Directory" subscription and also not be able to do any action as an administrator?

Any help would be much appreciated.

Regards,
Nick

Microsoft Security | Microsoft Entra | Microsoft Entra ID

4 answers

  1. Komorebi 21 Reputation points
    2020-08-07T08:49:00.017+00:00

    Came across this question and this Blog post which had the answer about this same Subscription name.
    It's a legacy Subscription. Detail below and in the Blog post.

    https://www.jasonfritts.me/2020/04/07/what-is-the-access-to-azure-active-directory-subscription-for/#:~:text=The%20%E2%80%9CAccess%20to%20Azure%20Active%20Directory%E2%80%9D%20subscriptions%20are%20a%20legacy,portal.azure.com).

    History of the Access to Azure Active Directory subscription

    The “Access to Azure Active Directory” subscriptions are a legacy subscription type that is no longer used. They were used prior to the current Azure Portal (https://portal.azure.com).

    At that time the classic Azure portal (https://manage.windowsazure.com) that was used to manage Azure Active Directory and other Azure resources only allowed access if the user had an Azure subscription associated with their user account. It utilized only the classic Azure roles such as “Subscription Admin”, “Billing Admin” and “Co-Administrator”, so you had to have one of these roles in order to log in. It did not take into account Azure AD roles like Global Administrator etc.

    4 people found this answer helpful.

  2. soumi-MSFT 11,831 Reputation points Microsoft Employee Moderator
    2020-04-27T10:46:13.157+00:00

    @Nick, the error "Disallowed Operation" is usually thrown by an Azure Service when someone tries to perform any task on it without any proper permission.

    Make sure you are either an owner on the subscription or you are the service administrator or co-admin in the Azure Subscription to be able to make changes or play around with the Azure Services. If you just want to check any specific Azure Resource, make sure you are added on that Azure Resource with proper permission under the IAM section of that resource.

    A Global Admin is only for Azure AD and not for the Azure Services.

    As for me I am a Global Admin of my tenant but also an owner on the subscription.

    Do check the permissions on the resource or on the subscription level and make sure you have proper permissions. Do share a screenshot for us to understand better in case there are more queries around this.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

    1 person found this answer helpful.

  3. Nick 1 Reputation point
    2020-04-27T10:58:31.38+00:00

    @soumi-MSFT, it seems that I cannot access the IAM for that resource, although I am an admin for that resource. It seems like a deadlock.

  4. absoblogginlutely 136 Reputation points
    2024-05-24T13:34:47.71+00:00

    Really poor handling of this - I also got this notification for one subscription at a client who has 3 of these subscriptions for some reason.

    The email gives no indication of the client, which makes it hard to troubleshoot; however, you can get the tenant ID with the following.

    function get-tenantIdFromSubscriptionID($subId){
        # An unauthenticated request is rejected, and the error response's headers name the tenant's login URL.
        $response = try {(Invoke-WebRequest -UseBasicParsing -Uri "https://management.azure.com/subscriptions/$($subId)?api-version=2015-01-01" -ErrorAction Stop).BaseResponse} catch { $_.Exception.Response }
        $stringHeader = $response.Headers.ToString()
        # Skip "login.windows.net/" (18 characters) and return the 36-character tenant GUID that follows.
        return($stringHeader.SubString($stringHeader.IndexOf("login.windows.net")+18,36))
    }

    get-tenantIdFromSubscriptionID("cd78--guidfromthemailgoeshere--de")

    This at least enabled me to find the tenant from the partner portal.

    Our distributor wasn't able to assist, as they don't have access to the subscription because it's not purchased through them, and attempting to log a support ticket directly online also fails, asking me to call, but then you end up with Office365 support and not Azure subscription support.

    At least I now have confirmation of what was going on. I suspected this was the case but wanted to be 100% sure.

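Added example, not part of any answer above: a variant of the tenant lookup from answer 4 that matches the tenant GUID in the `WWW-Authenticate` challenge by pattern instead of a fixed character offset, and fails with a clear error when no response or no tenant ID comes back. The function names and the sample header are constructed for illustration.

```powershell
# Added example; function names and the sample header below are hypothetical/constructed.

function Get-TenantIdFromChallenge {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$HeaderText)
    # The Bearer challenge carries authorization_uri="https://<login host>/<tenant GUID>".
    # Match the GUID by shape so the login host name and header order do not matter.
    $guid    = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    $pattern = 'authorization_uri="https://[^/"]+/(?<tid>' + $guid + ')'
    if ($HeaderText -match $pattern) {
        return $Matches['tid'].ToLowerInvariant()
    }
    return $null
}

function Get-TenantIdFromSubscriptionId {
    # [guid] rejects malformed input before any request is sent.
    param([Parameter(Mandatory)][guid]$SubscriptionId)
    $uri = "https://management.azure.com/subscriptions/$($SubscriptionId)?api-version=2015-01-01"
    $response = try {
        (Invoke-WebRequest -UseBasicParsing -Uri $uri -ErrorAction Stop).BaseResponse
    } catch {
        $_.Exception.Response   # the rejected request's response; $null on DNS or connection failure
    }
    if ($null -eq $response) { throw "No HTTP response from $uri" }

    $tenantId = Get-TenantIdFromChallenge -HeaderText $response.Headers.ToString()
    if (-not $tenantId) { throw "No tenant ID in the response headers for $SubscriptionId" }
    return $tenantId
}

# Offline check of the parser against a constructed header (placeholder GUID, not a real tenant).
$sample = 'WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/' +
          '00000000-1111-2222-3333-444444444444", error="invalid_token"'
Get-TenantIdFromChallenge -HeaderText $sample
Get-TenantIdFromChallenge -HeaderText 'Server: constructed-header-without-challenge'
```

The lookup needs no credentials, so it can be run from any workstation to map a subscription ID from a notification email to its tenant before deciding which admin account to sign in with.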